bpf: Disable file_alloc_security hook - user/sven/linux.git

diff options

author	Amery Hung <ameryhung@gmail.com>	2025-11-26 12:29:26 -0800
committer	Alexei Starovoitov <ast@kernel.org>	2025-11-28 15:18:28 -0800
commit	b4bf1d23dc1da236c92a9d9be68cc63358d1f750 (patch)
tree	aa7657f5b2f59e28de8837e79a422b1fa1440e15 /tools/net/ynl/pyynl/cli.py
parent	19f4091bf2679759da877eb23a37863dc4368441 (diff)

bpf: Disable file_alloc_security hook

A use-after-free bug may be triggered by calling bpf_inode_storage_get() in a BPF LSM program hooked to file_alloc_security. Disable the hook to prevent this from happening. The cause of the bug is shown in the trace below. In alloc_file(), a file struct is first allocated through kmem_cache_alloc(). Then, file_alloc_security hook is invoked. Since the zero initialization or assignment of f->f_inode happen after this LSM hook, a BPF program may get a dangeld inode pointer by walking the file struct. alloc_file() -> alloc_empty_file() -> f = kmem_cache_alloc() -> init_file() -> security_file_alloc() // f->f_inode not init-ed yet! -> f->f_inode = NULL; -> file_init_path() -> f->f_inode = path->dentry->d_inode Reported-by: Kaiyan Mei <M202472210@hust.edu.cn> Reported-by: Yinhao Hu <dddddd@hust.edu.cn> Reported-by: Dongliang Mu <dzm91@hust.edu.cn> Closes: https://lore.kernel.org/bpf/1d2d1968.47cd3.19ab9528e94.Coremail.kaiyanm@hust.edu.cn/ Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20251126202927.2584874-1-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Diffstat (limited to 'tools/net/ynl/pyynl/cli.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: